Dietpi-VPN GATEWAY with Pivpn server and Pihole

Hi,
I have installed PiVPN Server and PiHole.
I have also set up Dietpi-VPN with ProtonVPN, and when ProtonVPN connects, DietPi is no longer connected to the internet (ping does not work, curl does not work).
I tried a fresh installation.
I also want dietpi-vpn to work as a VPN gateway.
Can anyone help me?
Thanks

Do you have IP forwarding enabled?
cat /proc/sys/net/ipv4/ip_forward
If the output is 1, it is enabled.

And can’t you ping anything, or just IPs and no domains?

And do you want to connect to your device via dietpi-vpn while the internet connection of your device goes out via the Proton tunnel, or what is your goal?

The issue is the 2 VPNs running (1 server and 1 client). Usually this is not that simple to set up. It requires manual settings and some iptables rules to ensure correct routing.

Maybe @trendy can have a look


Yes, sure!
What is the output of:

ip -4 addr; ip -4 ro list table all; ip -4 ru; iptables-save -c

Also paste here the tunnel configurations, without the keys, and any up-scripts that are executed when the tunnel comes up.

Thanks.
cat /proc/sys/net/ipv4/ip_forward = 1
ping works only for addresses on my local network.

I'll post the error later.
Bye

From what you have shown I see only one VPN running, most likely your VPN server on the DietPi.
You need to run all the commands (you missed the iptables one) when the VPN client is also up.
If my understanding is correct, you want to have one VPN server to connect to from the internet and one VPN client to forward all your traffic.

root@DietPi:~# ip -4 addr; ip -4 ro list table all; ip -4 ru; iptables-save -c
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.10.5/24 brd 192.168.10.255 scope global eth0
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.6.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
14: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    inet 10.17.0.12/16 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.17.0.1 dev tun0 
default via 192.168.10.1 dev eth0 onlink 
10.6.0.0/24 dev wg0 proto kernel scope link src 10.6.0.1 
10.17.0.0/16 dev tun0 proto kernel scope link src 10.17.0.12 
128.0.0.0/1 via 10.17.0.1 dev tun0 
169.150.218.70 via 192.168.10.1 dev eth0 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.5 
local 10.6.0.1 dev wg0 table local proto kernel scope host src 10.6.0.1 
broadcast 10.6.0.255 dev wg0 table local proto kernel scope link src 10.6.0.1 
local 10.17.0.12 dev tun0 table local proto kernel scope host src 10.17.0.12 
broadcast 10.17.255.255 dev tun0 table local proto kernel scope link src 10.17.0.12 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
local 172.17.0.1 dev docker0 table local proto kernel scope host src 172.17.0.1 
broadcast 172.17.255.255 dev docker0 table local proto kernel scope link src 172.17.0.1 
local 192.168.10.5 dev eth0 table local proto kernel scope host src 192.168.10.5 
broadcast 192.168.10.255 dev eth0 table local proto kernel scope link src 192.168.10.5 
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default
# Generated by iptables-save v1.8.7 on Sat Apr 22 08:09:26 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
[2532690:2916344140] -A FORWARD -j DOCKER-USER
[2532690:2916344140] -A FORWARD -j DOCKER-ISOLATION-STAGE-1
[0:0] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o docker0 -j DOCKER
[0:0] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[0:0] -A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 2525 -j ACCEPT
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
[2532690:2916344140] -A DOCKER-ISOLATION-STAGE-1 -j RETURN
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -j RETURN
[3627671:4237369580] -A DOCKER-USER -j RETURN
COMMIT
# Completed on Sat Apr 22 08:09:26 2023
# Generated by iptables-save v1.8.7 on Sat Apr 22 08:09:26 2023
*nat
:PREROUTING ACCEPT [1261303:157504509]
:INPUT ACCEPT [1243120:151148706]
:OUTPUT ACCEPT [751071:61306343]
:POSTROUTING ACCEPT [751071:61306343]
:DOCKER - [0:0]
[871756:106443388] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[18183:6355803] -A POSTROUTING -s 10.6.0.0/24 -o eth0 -m comment --comment wireguard-nat-rule -j MASQUERADE
[0:0] -A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 2525 -j MASQUERADE
[0:0] -A DOCKER -i docker0 -j RETURN
[0:0] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 2520 -j DNAT --to-destination 172.17.0.2:2525
COMMIT
# Completed on Sat Apr 22 08:09:26 2023

Add a new routing table; this needs to be done once.

echo '10 isp' >> /etc/iproute2/rt_tables

You need to masquerade the traffic from the wg to the VPN tunnel.

iptables -t nat -A POSTROUTING -s 10.6.0.0/24 -o tun0 -m comment --comment wireguard-nat-rule-2 -j MASQUERADE

Then you need to make a rule for the wg-server traffic and send that traffic to the new routing table.

ip route add to default via 192.168.10.1 table isp
ip rule add iif lo sport 51820 to default lookup isp prio 15000

Replace 51820 with the WireGuard source port you are using. These commands should be part of the up-script for the VPN client connection.
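The three steps above, put together as an added example of the up/down hook they are meant to live in. This is not code from the thread, from DietPi or from dietpi-vpn. It assumes the VPN client is OpenVPN (which exports `dev` and `script_type` to hook scripts), takes the addresses and names from the outputs posted in this thread (wg0 10.6.0.0/24, listen port 51820, eth0 with gateway 192.168.10.1, tun0, table "10 isp", priority 15000) as overridable defaults, and adds an `ipproto udp` qualifier to the policy rule so that only the WireGuard UDP socket's packets match it. Every step is guarded so the hook can run on every reconnect without stacking duplicate rules.

```shell
#!/bin/sh
# Added example (not from the thread, DietPi or dietpi-vpn): idempotent
# OpenVPN up/down hook that routes the WireGuard server's own packets via
# the ISP while forwarded WireGuard-client traffic uses the Proton tunnel.
# All values below are assumptions taken from the thread; override via env.
WG_NET="${WG_NET:-10.6.0.0/24}"      # WireGuard client subnet (wg0)
WG_PORT="${WG_PORT:-51820}"          # WireGuard listen port
LAN_IF="${LAN_IF:-eth0}"             # uplink interface towards the ISP
ISP_GW="${ISP_GW:-192.168.10.1}"     # ISP gateway on LAN_IF
TUN_IF="${dev:-tun0}"                # OpenVPN exports $dev to hooks
TABLE_ID="${TABLE_ID:-10}"           # rt_tables id for the ISP table
TABLE_NAME="${TABLE_NAME:-isp}"      # rt_tables name for the ISP table
RULE_PRIO="${RULE_PRIO:-15000}"      # policy rule priority
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"

# Masquerade rule shared by up and down; the comment makes it findable.
NAT_RULE="POSTROUTING -s ${WG_NET} -o ${TUN_IF} -m comment --comment wireguard-nat-rule-2 -j MASQUERADE"

# Emit the commands that bring the policy routing up, one per line.
# Each line checks before it changes, so a second run adds nothing twice.
up_commands() {
  cat <<EOF
grep -qs '^${TABLE_ID}[[:space:]]${TABLE_NAME}\$' '${RT_TABLES}' || echo '${TABLE_ID} ${TABLE_NAME}' >> '${RT_TABLES}'
iptables -t nat -C ${NAT_RULE} 2>/dev/null || iptables -t nat -A ${NAT_RULE}
ip -4 route replace default via ${ISP_GW} dev ${LAN_IF} table ${TABLE_NAME}
ip -4 rule show | grep -q '^${RULE_PRIO}:' || ip -4 rule add iif lo ipproto udp sport ${WG_PORT} lookup ${TABLE_NAME} priority ${RULE_PRIO}
EOF
}

# Emit the teardown in reverse order; each line tolerates "already gone".
down_commands() {
  cat <<EOF
ip -4 rule del priority ${RULE_PRIO} 2>/dev/null || true
ip -4 route flush table ${TABLE_NAME} 2>/dev/null || true
iptables -t nat -D ${NAT_RULE} 2>/dev/null || true
EOF
}

# OpenVPN exports script_type=up|down; the first argument is accepted too
# for manual runs ("sh wg-policy.sh up" as root). Anything else is a no-op.
case "${script_type:-${1:-}}" in
  up)   up_commands   | sh -e ;;
  down) down_commands | sh -e ;;
esac
```

To see what would be executed without touching the box, source the file and call `up_commands`; it only prints. OpenVPN runs user hooks only with `script-security 2` and `up`/`down` directives pointing at the file, which must be executable. The hook adds no FORWARD rules because the ruleset posted in this thread has an ACCEPT policy on FORWARD; if that policy is changed to DROP, explicit accepts for wg0/eth0 to tun0 and the return traffic become necessary.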

Thank you.
With these changes, when I disconnect my ProtonVPN from dietpi-vpn, will the connections work normally?
How do I save my iptables configuration (and how do I restore it) if I have some problems?

Thanks a lot

These changes do not affect the VPN client much, except that they enable the masquerade on tun0.
You can save the iptables with

iptables-save > /tmp/fw-backup

and restore with

iptables-restore < /tmp/fw-backup

Does the rule affect only the VPN client or all clients connected to the DietPi, for example those connected locally to Pi-hole's DHCP?

The rule is telling the system to use your ISP as uplink for the wireguard packets.

Hi, I'm back on the topic after a long time; here is a recap:
I have DIETPI with a PIVPN server with PIHOLE and UNBOUND;
I have a VPN with PROTONVPN provider

I would like DIETPI to act as a VPN gateway with PROTON for all my local devices (network 192.168.10.0/24)
Furthermore, I would like my SMARTPHONE with WIREGUARD that connects to the PIVPN SERVER to use PROTONVPN as a gateway
So both eth0 and wg0 must be able to have dietpi as a gateway with protonvpn.

I successfully connected with Proton through dietpi-vpn
and I ran this command:

sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

and devices on eth0 seem to have no problem browsing via ProtonVPN.
Instead, the SMARTPHONE connected to PiVPN (wg0) sometimes works and sometimes doesn't; it seems that when I disconnect it and reconnect to the VPN, I can no longer access the internet or even the local devices.

Maybe some iptables or routes command is missing?

Thank you

You know the drill.

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.10.5/24 brd 192.168.10.255 scope global eth0
       valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.6.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    inet 10.16.0.14/16 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.16.0.1 dev tun0 
default via 192.168.10.1 dev eth0 onlink 
10.6.0.0/24 dev wg0 proto kernel scope link src 10.6.0.1 
10.16.0.0/16 dev tun0 proto kernel scope link src 10.16.0.14 
128.0.0.0/1 via 10.16.0.1 dev tun0 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.5 
217.23.3.76 via 192.168.10.1 dev eth0 
local 10.6.0.1 dev wg0 table local proto kernel scope host src 10.6.0.1 
broadcast 10.6.0.255 dev wg0 table local proto kernel scope link src 10.6.0.1 
local 10.16.0.14 dev tun0 table local proto kernel scope host src 10.16.0.14 
broadcast 10.16.255.255 dev tun0 table local proto kernel scope link src 10.16.0.14 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
local 172.17.0.1 dev docker0 table local proto kernel scope host src 172.17.0.1 
broadcast 172.17.255.255 dev docker0 table local proto kernel scope link src 172.17.0.1 
local 192.168.10.5 dev eth0 table local proto kernel scope host src 192.168.10.5 
broadcast 192.168.10.255 dev eth0 table local proto kernel scope link src 192.168.10.5 
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default
# Generated by iptables-save v1.8.7 on Thu Apr  4 18:13:35 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
[15831:11430521] -A FORWARD -j DOCKER-USER
[15831:11430521] -A FORWARD -j DOCKER-ISOLATION-STAGE-1
[0:0] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o docker0 -j DOCKER
[0:0] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[0:0] -A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 2525 -j ACCEPT
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
[15831:11430521] -A DOCKER-ISOLATION-STAGE-1 -j RETURN
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -j RETURN
[15831:11430521] -A DOCKER-USER -j RETURN
COMMIT
# Completed on Thu Apr  4 18:13:35 2024
# Generated by iptables-save v1.8.7 on Thu Apr  4 18:13:35 2024
*nat
:PREROUTING ACCEPT [5529:624754]
:INPUT ACCEPT [5323:556705]
:OUTPUT ACCEPT [5909:488103]
:POSTROUTING ACCEPT [5945:495267]
:DOCKER - [0:0]
[5092:527204] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[157:57769] -A POSTROUTING -s 10.6.0.0/24 -o eth0 -m comment --comment wireguard-nat-rule -j MASQUERADE
[0:0] -A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 2525 -j MASQUERADE
[13:3116] -A POSTROUTING -o tun0 -j MASQUERADE
[0:0] -A DOCKER -i docker0 -j RETURN
[0:0] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 2520 -j DNAT --to-destination 172.17.0.2:2525
COMMIT
# Completed on Thu Apr  4 18:13:35 2024

You didn’t follow the advice from earlier, so it’s no wonder it’s not working.

With your command, the WireGuard VPN on my smartphone exits via my gateway 192.168.10.1 and not via Proton.

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

iptables -A FORWARD -i tun0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wg0 -o tun0 -j ACCEPT

With these rules it works, but I'm not sure…

How did you come to this conclusion? The gateway is used for the WireGuard server's outgoing packets and not for the forwarded ones.

The NAT rule was already there, and the forwards are not needed as you have an ACCEPT policy for forwarding.
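A check for the distinction made in this last reply, as an added example that is not from the thread: it asks the kernel with `ip route get` which interface a forwarded packet from a WireGuard client and a locally generated WireGuard UDP packet would leave on, and compares each with the expected one. It assumes the addresses from the outputs posted above (a client 10.6.0.2 on wg0, the server 192.168.10.5 with listen port 51820, tunnel tun0, uplink eth0) and an iproute2 that accepts `ipproto` and `sport` on `ip route get`.

```shell
#!/bin/sh
# Added example (not from the thread): verify on the box that forwarded
# WireGuard-client traffic leaves via the Proton tunnel while the WireGuard
# server's own UDP packets still use the ISP uplink. Addresses and interface
# names are assumptions taken from the outputs posted in the thread.
WG_CLIENT="${WG_CLIENT:-10.6.0.2}"   # a peer address inside 10.6.0.0/24
WG_IF="${WG_IF:-wg0}"
WG_PORT="${WG_PORT:-51820}"
LAN_ADDR="${LAN_ADDR:-192.168.10.5}" # DietPi's own address on eth0
TUN_IF="${TUN_IF:-tun0}"
LAN_IF="${LAN_IF:-eth0}"
PROBE="${PROBE:-1.1.1.1}"            # any public destination

# Extract the outgoing interface from one line of 'ip route get' output,
# e.g. "1.1.1.1 from 10.6.0.2 via 10.16.0.1 dev tun0 src 10.16.0.14" -> tun0
route_dev() {
  printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Compare the interface in an 'ip route get' line with the expected one.
# $1 = description, $2 = route get output, $3 = expected interface
check_flow() {
  dev=$(route_dev "$2")
  if [ "$dev" = "$3" ]; then
    echo "OK   $1 -> $dev"
    return 0
  fi
  echo "FAIL $1 -> ${dev:-?} (expected $3)"
  return 1
}

# Run both lookups against the live routing tables and policy rules.
run_checks() {
  rc=0
  # a packet arriving on wg0 from a client, as the FORWARD path routes it
  fwd=$(ip -4 route get "$PROBE" from "$WG_CLIENT" iif "$WG_IF" 2>/dev/null)
  # a packet the WireGuard socket itself sends (iif lo, UDP sport 51820);
  # this is the flow the "iif lo sport 51820" rule is meant to catch
  own=$(ip -4 route get "$PROBE" from "$LAN_ADDR" ipproto udp sport "$WG_PORT" 2>/dev/null)
  check_flow "wg client, forwarded" "$fwd" "$TUN_IF" || rc=1
  check_flow "wg server, own UDP"   "$own" "$LAN_IF" || rc=1
  return $rc
}

# Only run against the live system when asked ("sh wg-check.sh run").
[ "${1:-}" = run ] && run_checks
```

If the first line reports eth0 instead of tun0, the masquerade on tun0 or the tunnel's 0.0.0.0/1 and 128.0.0.0/1 routes are missing; if the second reports tun0, the policy rule is not matching the WireGuard socket's packets and the smartphone's handshake replies are being sent into the Proton tunnel.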